Thank you all for the last 6 years or so. It has been fun (sometimes) and many times not so much fun. Unfortunately I have had enough and I don't want to be associated with this project anymore.

I'm sure most people (the ones who matter) can understand why. If someone doesn't, I could not care less. Take care.

Please do not reply to this email.

--Jani

p.s. Delete my CVS account. I have no use for it anymore.

When I give my security presentations on cryptography, a common security flaw that I like to bring up is using 3rd party programs to send email to others which looks as though it came from a certain account; in this case, Jani's email at iki.fi. Heck, even a little JavaScript can do the trick.

Once, while giving a presentation to university class, I told the class the following scenario:

If you were to receive an email in your inbox from your professors email address, would you believe it was send from him? Of course you would. There would be no reason not to. At least not yet.

What if the email said that due to a family emergency, he would no longer be able to instruct the class, and that everyone will get an 'A' for the course. The email would say further, don't bother attending class or responding to the email as he will be out of town taking care of the family emergency. Also, he'll have all the details worked out with the school.

Would you still believe the email is legit?

Not surprisingly, everyone in the class, including the professor, said they would totally believe the email, and quit attending class. Only a handful of students said that they would stay in contact with the school administration making sure all the details went smooth. It is unfortunate that they would be the only ones, with the professors help, smoothing out the scam.

What is the point? The point is to generate a public cryptography key-pair, and begin digitally signing all of your emails. This way, everyone can be assured that the email did in fact come from whomever it says it came from, so long as the email validates, and the necessary steps have been taken to ensure the public key belongs to the actual owner.

Right now at this point, I am not believing the email. I believe that it is scam, and the wrinkles will be smoothed out soon. Hopefully, Jani signs his emails, and will be able to refute this nonsense. However, if the email is legit, confusion could have been avoided if the email was just signed. It will undoubtedly be a big loss for the PHP community.

I've said it before, and I'll say it again: If you receive an email from me and it is not signed, or the signature fails, you should question the authenticity of the email text and whether or not it did actually come from me. I go to great lengths to ensure that my email validates before sending, so rarely will an email from me not check out.